1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
#ifndef _IPXE_SBAT_H
#define _IPXE_SBAT_H
/** @file
*
* Secure Boot Advanced Targeting (SBAT)
*
* SBAT defines an encoding for security generation numbers stored as
* a CSV file within a special ".sbat" section in the signed binary.
* If a Secure Boot exploit is discovered then the generation number
* will be incremented alongside the corresponding fix.
*
* Platforms may then record the minimum generation number required
* for any given product. This allows for an efficient revocation
* mechanism that consumes minimal flash storage space (in contrast to
* the DBX mechanism, which allows for only a single-digit number of
* revocation events to ever take place across all possible signed
* binaries).
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
/**
* A single line within an SBAT CSV file
*
* @v name Machine-readable component name
* @v generation Security generation number
* @v vendor Human-readable vendor name
* @v package Human-readable package name
* @v version Human-readable package version
* @v uri Contact URI
* @ret line CSV line
*/
#define SBAT_LINE( name, generation, vendor, package, version, uri ) \
name "," _S2 ( generation ) "," vendor "," package "," \
version "," uri "\n"
/** SBAT format generation */
#define SBAT_GENERATION 1
/** Upstream security generation
*
* This represents the security generation of the upstream codebase.
* It will be incremented whenever a Secure Boot exploit is fixed in
* the upstream codebase.
*
* If you do not have commit access to the upstream iPXE repository,
* then you may not modify this value under any circumstances.
*/
#define IPXE_SBAT_GENERATION 1
/* Seriously, do not modify this value */
#if IPXE_SBAT_GENERATION != 1
#error "You may not modify IPXE_SBAT_GENERATION"
#endif
/** SBAT header line */
#define SBAT_HEADER \
SBAT_LINE ( "sbat", SBAT_GENERATION, "SBAT Version", "sbat", \
_S2 ( SBAT_GENERATION ), \
"https://github.com/rhboot/shim/blob/main/SBAT.md" )
/** Mark variable as being in the ".sbat" section */
#define __sbat __attribute__ (( section ( ".sbat" ), aligned ( 512 ) ))
extern const char sbat[] __sbat;
#endif /* _IPXE_SBAT_H */
|
